GDPR and Employment Law Flashcards
What legal bases might be appropriate for processing employee personal data?
- Performance of the employment contract (contractual necessity)
- Legal obligation (note - must be an obligation under EU or member state law, not just a contractual or foreign-law requirement)
- Legitimate interests (LI) of the employer
- Consent (of limited use because of the imbalance of power between employer and employee; see the BYOD card below)
Give an example of when LI might be grounds for an employer to process employee personal data
When migrating employee information from one data management system to another
Note that LI cannot be relied on where it is overridden by the employees' rights and freedoms (the LI balancing test)
And LI cannot be used as grounds for processing special category (SC) data, which needs a separate Article 9 condition
What type of organisation cannot rely on legitimate interest as a basis for processing employee personal data?
Public authorities (when processing in the performance of their tasks)
What is a works council?
Kind of like an internal trade union: a body elected by employees to represent them towards the employer
They have considerable power in some countries (especially Germany)
In some places there is a duty to inform or consult works councils on any changes that affect the rights of employees (e.g. roll-out of new systems, especially ones capable of monitoring staff)
In some cases, they might need to authorise the proposed change before it can go ahead
Is an employer responsible for employee processing of personal data on a BYOD device?
Yes. As data controller, the employer is responsible for any personal data processed for work purposes through work systems (e.g. the corporate email suite), regardless of who owns the device
What should employers do to minimise the risks of allowing BYOD?
- Put in place a BYOD policy that explains how employees may use their own devices for work and what their responsibilities are
- The policy should align with employment law and GDPR. It should aim to protect personal data (e.g. employee / customer / sponsor data) as well as organisational data, IP, trade secrets etc., and should mitigate network risks
- Know where data processed via the device is stored and what measures are required to keep that data secure
- Ensure transfer of data between the device and company servers is secure (e.g. encrypted in transit), to avoid interception
- Know how to manage data if the employee leaves or the device is lost (e.g. mobile device management software to locate the device and remove corporate data on demand)
- Tell employees the consequences of signing up, and what information on the device the company will be able to access
Again, the employer must have a legal basis for processing the personal data involved
If a company mandates BYOD, what would they need to do in order to get valid consent for this?
You can't really get GDPR-compliant consent when BYOD is mandated, because consent must be freely given.
If you want to show that people have validly consented to BYOD, you have to give them a genuine alternative (e.g. a corporate device) with no detriment for choosing it
What is sandboxing software (context = BYOD)?
A type of mobile device management (MDM) / containerisation tool
Software which ring-fences the corporate information in a specific area of the phone, so that if you need to remote-wipe it you can do so without deleting the person's own data
Give examples of why you might want to monitor employees
- Investigating employees (e.g. misconduct)
- Improving efficiencies (e.g. desk occupancy and densification)
- Supporting the employee (e.g. workload monitoring)
What is a DLP tool and what is it used for? What are the data protection implications?
Data Loss Prevention tools
Typically used to protect IT infrastructure and confidential information from internal and external threats (e.g. by inspecting outbound email, uploads and removable media), but they necessarily involve processing employee personal data
This means the DLP data needs to be held securely, accessed only by those with a legitimate reason, and deleted when there is no longer a need to hold onto it. The monitoring it involves must also satisfy the lawfulness tests below (necessary, proportionate, transparent, legitimate)
If you are planning to monitor employee data, what do you have to do to ensure this is lawful?
The monitoring must be:
- Necessary (consider less intrusive methods first; conduct a DPIA, which is mandatory for systematic monitoring of employees)
- Proportionate (linked to the data minimisation principle: collect only what the purpose needs)
- Transparent (have employees been clearly informed of what is monitored, how and why? Is there an acceptable use policy in place?)
- Legitimate (do you have lawful grounds for collecting and using the data? This will often mean relying on LI and documenting the balancing test. Collection of special category data is likely to be problematic)
Data must also be held securely, accessed only by those with a legitimate reason and then deleted when there is no longer a need to hold onto it.
Can an employer argue that a lack of workplace privacy is acceptable if employees have been clearly informed of the monitoring that will be carried out?
No
Transparency is only one of the conditions. Don't forget that monitoring also needs to be necessary, proportionate and legitimate
And on the transparency point, employers should also introduce an acceptable use policy (AUP) that tells staff what is and is not permitted and what monitoring they can expect
If an employer is using CCTV to monitor employee behaviour in certain areas, what could they do to make this more proportional?
They might want to consider whether they actually need to record audio as well as video, or whether video alone is sufficient for the purpose
Video-only recording is less intrusive and avoids picking up conversations of people in the background who are not the target of the monitoring
If you are going to implement a whistle-blowing scheme, what are some of the things you need to take into account? (nb SOX requires US-listed companies to have one, and the EU Whistleblowing Directive now requires internal reporting channels for many organisations)
- Transparency (a policy which explains to people how they can report violations and how their information will be treated)
- Maintain the security and confidentiality of the reports submitted and of the reporter's identity
- Under EU law, anonymous reporting has traditionally been strongly discouraged (DPAs are concerned it could allow malicious reports to be made). So ask people to identify themselves when they make allegations, and then keep their identity confidential.
- Try not to encourage anonymous reporting in the EU, although you may need to recognise that anonymous reports will still arrive and cannot simply be ignored
- Under EU law, if the allegation cannot be substantiated, the report should be deleted after a short period of time (say 3-6 months)
- Under EU law there are restrictions on what can be reported under a whistle-blowing scheme, and this varies massively by member state (some say only financial / accounting issues, others allow a much wider scope)
- Some states have restrictions on who can be reported under whistle-blowing schemes (e.g. only people of a certain seniority)
- General GDPR rights and rules apply (e.g. you have to tell someone that an allegation has been made about them, they can ask for inaccurate data to be rectified, and international transfer rules apply if reports are handled outside the EU)
Are anonymous whistle blowing schemes encouraged under EU law?
No! In fact, they have been strongly discouraged, and some local DPAs have treated a scheme as unlawful if it advertises the ability to make anonymous reports (as they feel this could encourage malicious complaints)
This doesn't mean the allegation isn't confidential: the reporter identifies themselves to the scheme, and the scheme keeps that identity confidential